Pre-Christmas 2010 will be remembered as the time when well-known online brands and websites started to fall to hackers. The biggest of them all so far has been Gawker, and we’ve also seen McDonalds have its databases compromised this week. But that’s not the end of the security breaches.

Today deviantART, the largest online community of artists, has announced its user database has also been compromised. The fallout: up to 13 million user e-mail addresses, usernames, and birth dates exposed and likely to be used by spammers.

The breach occurred through Silverpop System Inc. It’s a marketing company deviantART uses to communicate with its users through a mailing list, but now seems to be a weak point in securing user data. The company is assuming the data was stolen by spammers.

The only saving grace is passwords were not taken, so if you have a deviantART account it has not been compromised. What it will likely result in is a lot more spam e-mails being directed to those 13 million accounts.

The data stolen also brings up a few questions. Most importantly why is the site sharing date of birth information with a marketing company? Is it for more targeted advertising? If this is the case it should stop, as a number of sites still rely on date of birth as a security question.

Although fairly harmless on its own, a date of birth combined with an e-mail address may be enough to compromise security on other sites. For example, a site with an e-mail and password login that uses a date-of-birth check to recover that password.

[Remember too that Spammers could be building a dossier database similar to the ones Behavioral Advertisers construct. Bob]
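The recovery weakness the article describes, shown as an added illustration (this is not code from the article, from deviantART or from Silverpop): a hypothetical `DobRecovery` class that accepts a date of birth as the only proof of account ownership, beside a hypothetical `TokenRecovery` class that instead requires a random, single-use, expiring token delivered out of band and stored only as a hash. The leaked record is constructed to match the fields the article says were exposed (e-mail, username, birth date, no password).

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample record of the kind the article says was exposed:
# e-mail address, username and date of birth, but no password.
LEAKED_RECORD = {"email": "artist@example.com", "username": "artist", "dob": "1985-04-12"}


class DobRecovery:
    """Hypothetical weak scheme: the only proof of ownership is the date of birth."""

    def __init__(self, users):
        self.users = users  # email -> {"dob": str, "password": str}

    def reset_password(self, email, dob, new_password):
        user = self.users.get(email)
        if user is None or user["dob"] != dob:
            return False
        user["password"] = new_password
        return True


class TokenRecovery:
    """Hypothetical hardened scheme: a random, single-use, expiring token
    delivered out of band (to the mailbox) and stored only as a hash."""

    TOKEN_TTL_SECONDS = 15 * 60

    def __init__(self, users, clock=time.time):
        self.users = users
        self.clock = clock      # injectable so expiry can be exercised offline
        self._pending = {}      # email -> (sha256(token) hex, expiry timestamp)

    def request_reset(self, email):
        # Same work and same response whether or not the account exists,
        # so this endpoint does not confirm which addresses are registered.
        token = secrets.token_urlsafe(32)
        if email in self.users:
            digest = hashlib.sha256(token.encode()).hexdigest()
            self._pending[email] = (digest, self.clock() + self.TOKEN_TTL_SECONDS)
        # In a real system the token goes into the e-mail, never back to the
        # caller; it is returned here only so the example runs end to end.
        return token

    def reset_password(self, email, token, new_password):
        entry = self._pending.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            del self._pending[email]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False
        del self._pending[email]  # single use: a captured token cannot be replayed
        self.users[email]["password"] = new_password
        return True


def run_demo():
    """Replay the leaked record against both schemes; returns the outcomes."""
    email, dob = LEAKED_RECORD["email"], LEAKED_RECORD["dob"]
    results = {}

    weak = DobRecovery({email: {"dob": dob, "password": "original"}})
    # Everything the attacker needs is in the leaked record.
    results["dob_takeover"] = weak.reset_password(email, dob, "attacker-chosen")

    fake_now = [1_000_000.0]
    strong = TokenRecovery({email: {"dob": dob, "password": "original"}},
                           clock=lambda: fake_now[0])
    # Attacker holds the e-mail and DOB but no token: guessing fails.
    results["dob_alone"] = strong.reset_password(email, dob, "attacker-chosen")
    # Legitimate owner reads the token from the mailbox.
    token = strong.request_reset(email)
    results["owner"] = strong.reset_password(email, token, "owner-chosen")
    results["replay"] = strong.reset_password(email, token, "attacker-chosen")
    # A token left unused past its lifetime is rejected.
    token2 = strong.request_reset(email)
    fake_now[0] += TokenRecovery.TOKEN_TTL_SECONDS + 1
    results["expired"] = strong.reset_password(email, token2, "attacker-chosen")
    # Requests for unknown addresses look identical from the outside.
    results["unknown_request_shape"] = isinstance(strong.request_reset("nobody@example.com"), str)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the comparison: once e-mail and birth date have leaked, the first scheme is fully bypassed by anyone holding the dump, while the second depends on something the leak did not contain, namely control of the mailbox at the moment the token is issued.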

This would be funny if it wasn't yet another indication of a failure to understand basic security practices.

A Lynn man pleaded guilty in federal court today to selling and using the names, dates of birth, and Social Security numbers of Transportation Security Administration employees who worked at Logan Airport.

Michael Debring, A/K/A Michael Washington, 49, pleaded guilty before U.S. District Judge Nathaniel M. Gorton to conspiracy, misrepresenting a Social Security number with intent to defraud, possessing 15 or more unauthorized access devices with intent to defraud, and aggravated identity theft.

At today’s plea hearing, the prosecutor told the Court that had the case proceeded to trial, the Government’s evidence would have proved that between July 2008 and December 9, 2009, Derring and his co-conspirator, Tina White, opened accounts using TSA employees’ identities to obtain gas, electric, cable television, telephone, and other services for themselves and their relatives, friends and customers. Some recipients of the services would not pay the bills, knowing that the account-holder details did not match the recipients’ identities.

… Derring obtained the names, dates of birth, and Social Security numbers of employees who worked for TSA at Logan Airport from a relative who worked as a contractor at TSA’s department of human resources.

"Debora Plunkett, head of the NSA's Information Assurance Directorate, has confirmed what many security experts suspected to be true: no computer network can be considered completely and utterly impenetrable — not even that of the NSA. 'There's no such thing as "secure" any more,' she said to the attendees of a cyber security forum sponsored by the Atlantic and Government Executive media organizations, and confirmed that the NSA works under the assumption that various parts of their systems have already been compromised, and is adjusting its actions accordingly."

Yet another indication that Politicians aren't like us second class citizens...

The NSW Parliament will not discipline or even identify staff members or MPs who used the parliamentary computer system to access websites that contained “sexually explicit images of young people”.

The Speaker of the Legislative Assembly, Richard Torbay, and the President of the Legislative Council, Amanda Fazio, have declared the matter closed despite confirmation that nine inappropriate websites were accessed.

In a statement yesterday, they confirmed that advice from the Crown Solicitor was that there was “no legal obligation to refer the information in the report to the NSW Police Force”.

The identity of the staff or MPs who accessed the pornographic sites will remain secret, ensuring no one can be disciplined, despite an obvious breach of the Parliament’s IT guidelines.

Now, see, I wouldn’t think that public officials using publicly funded work-related computers should have an expectation of privacy if they engage in such conduct.

[From the article:

Ernst & Young was commissioned to review the internet filter after a parliamentary human resources executive, Lisa Vineburg, commissioned an unauthorised audit [I wonder if she got canned? Bob] of internet use by all MPs and staff.

The raw data ended the ministerial career of the MP for Heathcote, Paul McLeay, who resigned after he learned details of his internet use had been leaked to the media. He admitted he had repeatedly visited pornographic and gambling sites from the parliamentary computer system.]

I'm not sure I fully agree with this. If it is okay for the cops to follow someone without a warrant (it is, isn't it?) why can't they use technology to make their work more efficient? Is it the “sneaking onto private property to attach the device” that is the real concern? How about remotely turning on the OnStar or other devices in the car to report locations visited?

The Delaware Superior Court has ruled that police must obtain a warrant before using GPS devices to monitor vehicles. The Court said that the Delaware Constitution protects its citizens’ reasonable expectation of privacy from “constant surveillance.” “Everyone understands there is a possibility that on any one occasion or even multiple occasions, they may be observed by a member of the public or possibly law enforcement,” the Court reasoned, “but there is not such an expectation that an omnipresent force is watching your every move.” In a related case, the Massachusetts Supreme Court held that a warrant is required for the use of a GPS tracking device. EPIC filed an amicus brief in that case.

Susan Freiwald, one of the law professors whose articles were cited in the recent Warshak decision, has this commentary and analysis on Concurring Opinions:

Finally! A Federal Appellate Court has brought the Fourth Amendment to stored email! On December 14th, in United States v. Warshak, the 6th Circuit held that when government agents compel an Internet Service Provider (ISP) to disclose its user’s stored emails, they invade the user’s reasonable expectation of privacy, which constitutes a search under the Fourth Amendment and requires a warrant or an applicable exception.

In a 2007 decision, a panel of the 6th Circuit found a reasonable expectation of privacy (REP) in Warshak’s stored emails when he sought an injunction, but the 6th Circuit, en banc, vacated that decision the next year on ripeness grounds. The case decided three days ago concerned Warshak’s appeal of his criminal conviction of an array of charges related to fraudulent business practices. The trial was long and involved (and much of the decision concerns other issues). As part of the investigation, prosecutors seized 27,000 of Warshak’s private emails, ex parte, and without first getting a warrant. Along with Patricia Bellia, of Notre Dame, I wrote an amicus brief for law professors prior to the 2007 decision, and have written law review articles (with Tricia) on the topic since. Below, I explain the court’s constitutional analysis, discuss why this discussion was so long in coming and share some thoughts about the future.

"According to reports from the Uriminzokkiri, the official website of the Democratic People's Republic of Korea, a war with South Korea would involve nuclear weapons, and '[will] not be limited to the Korean peninsula.' The article goes on, 'The Korean peninsula remains a region fraught with the greatest danger of war in the world. This is entirely attributable to the US pursuance of the policy of aggression against the DPRK (North Korea).'"

About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.